Feature #2926

closed

TLS offloading with mod_sockproxy

Added by flynn over 2 years ago. Updated about 2 months ago.

Status:
Fixed
Priority:
Low
Category:
mod_sockproxy
Target version:
ASK QUESTIONS IN Forums:
No

Description

Is it (easy) possible to have SSL/TLS offloading with mod_sockproxy?

Configuring lighttpd as a reverse proxy with TLS offloading works perfectly,
but if I replace the

proxy.server = ...

line with

sockproxy.server = ...

it does not decrypt the stream.

#1

Updated by gstrauss over 2 years ago

  • Status changed from New to Wontfix
  • Priority changed from Normal to Low

The forums or IRC are more appropriate "forums" for pie in the sky questions than is the issue tracker.

Is it (easy) possible to have SSL/TLS offloading with mod_sockproxy?

Please don't ever ask if something is "easy" unless you're volunteering to do it and asking for guidance (in which case the developer forum is the place to do it).

As for possible, anything is possible, but that isn't what mod_sockproxy was designed to do (please read the doc), and there are no current plans to change what mod_sockproxy was designed to do.

#2

Updated by gstrauss about 2 months ago

  • ASK QUESTIONS IN Forums set to No

Is it (easy) possible to have SSL/TLS offloading with mod_sockproxy?

Update: someone posted on IRC #lighttpd (irc.libera.chat) that this works for them with mod_sockproxy and mod_openssl, so perhaps this now works with a more recent version of lighttpd (than when this question was originally posted (Jan 2019)).

#3

Updated by gstrauss about 2 months ago

Separately, I would like to apologize for the previous rude response.

#4

Updated by flynn about 2 months ago

I tried again and it works now for me too.
Maybe I forgot to enable the ssl-engine inside the $SERVER["socket"] section two years ago ...

An equivalent to $HTTP["host"] would be very useful, to switch between the host names requested by the client via SNI.

#5

Updated by gstrauss about 2 months ago

  • Category set to TLS
  • Status changed from Wontfix to Fixed

See also feature request #3081

FYI: If your non-HTTP TLS client provides SNI, #3081 suggests that lighttpd might reject the connection due to ALPN mismatch with the HTTP-specific ALPNs offered by lighttpd.

(It should not be surprising that a server named "lighttpd" with an "httpd" suffix currently provides HTTP-specific ALPNs.)
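Putting #4 and #5 together, here is an added configuration example (not from this ticket or the lighttpd documentation) showing a mod_sockproxy listener without and with ssl.engine; the listening port, backend address and certificate path are assumed placeholders.

```lighttpd
# Added example: TLS offloading for a raw TCP backend with mod_sockproxy.
# mod_openssl is loaded before mod_sockproxy so the listener can terminate TLS.
server.modules += ( "mod_openssl", "mod_sockproxy" )

# What #4 describes as the earlier failure: no ssl.engine in the socket block.
# lighttpd accepts the TCP connection as plaintext and relays the client's
# TLS handshake bytes unchanged to the backend, which cannot read them.
$SERVER["socket"] == ":8443" {
    sockproxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 5000 ) ) )
}

# Working form: terminate TLS on the listening socket, then forward the
# decrypted stream to the backend over the loopback interface.
$SERVER["socket"] == ":9443" {
    ssl.engine  = "enable"
    # Placeholder path; the PEM file holds the certificate chain and key.
    ssl.pemfile = "/etc/lighttpd/certs/sockproxy-example.pem"
    # Assumed backend: a plaintext TCP service on localhost port 5000.
    sockproxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 5000 ) ) )
}

# Caveat from #5: a non-HTTP TLS client that sends SNI may still be rejected
# because lighttpd offers HTTP-specific ALPNs (see feature request #3081);
# nothing in this configuration changes that behaviour.
```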

#6

Updated by gstrauss about 2 months ago

  • Category changed from TLS to mod_sockproxy